Classic X.509 CAs with secured infrastructure

Traditional credential authorities issue long-term credentials to
end-entities who will themselves posses and control their key pair and their
activation data. These authorities act as an independent trusted third
party for both subscribers and relying parties within the infrastructure.
The identity of the subscribers is vetted through a face-to-face or equivalent
process.